
Microsoft Cybersecurity Architect Expert SC-100
You are managing an Azure subscription that hosts multiple virtual machines, with external access to ports 3389 (RDP) and 22 (SSH) disabled to enhance security. Your objective is to develop a solution that allows administrators to access these virtual machines securely for remote management. The solution should fulfill the following criteria:
- Avoid enabling ports 3389 and 22 from the internet.
- Grant access to the virtual machines only when necessary.
- Ensure administrators utilize the Azure portal for connecting to the virtual machines.
Which two actions should be part of your solution? Each correct action contributes to the solution. NOTE: Each correct selection is worth one point.
A. Configure Azure VPN Gateway.
B. Enable Just Enough Administration (JEA).
C. Configure Azure Bastion.
D. Enable just-in-time (JIT) VM access.
E. Enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM) roles as virtual machine contributors.
Explanation:
C: Azure Bastion provides secure remote access to virtual machines directly through the Azure portal. It uses an RDP/SSH session over TLS on port 443, thus preventing the need to enable ports 3389 and 22 from the internet. Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It requires no public IP address, agent, or special client software, ensuring secure and seamless RDP/SSH connectivity to your virtual machines.
D: Just-in-time (JIT) VM access, a feature of Microsoft Defender for Cloud, locks down inbound traffic to your Azure virtual machines. This feature reduces exposure to attacks by allowing access only when required. With JIT enabled, administrators request access to the VM, at which point a temporary allow rule is created for the requested port, source and time window and removed again when it expires. This gives administrators the necessary access only when required and prevents persistent access, matching the requirement to grant access to the virtual machines only when necessary.
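The two selected actions carried through as Az PowerShell, as an added example that is not part of the original question or its explanation. The resource group, region, VNet and VM names, the Bastion subnet prefix, the subscription id and the VM resource id are placeholders; the script assumes the Az.Network and Az.Security modules, an authenticated session (Connect-AzAccount), a Defender for Cloud plan that includes JIT, and a network security group already attached to the VM's NIC or subnet for JIT to write its rules into.

```powershell
# Added example (not from the original page): provision Azure Bastion and a
# just-in-time (JIT) VM access policy with the Az PowerShell module.
# Every name, id and address range below is a placeholder; replace with your own.

$rg       = "rg-mgmt"            # placeholder resource group
$location = "westeurope"         # placeholder region
$vnetName = "vnet-prod"          # placeholder: existing VNet that hosts the VMs
$subId    = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
$vmName   = "vm-app01"           # placeholder VM name
$vmId     = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Bastion requires a dedicated subnet literally named AzureBastionSubnet (/26 or larger).
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if (-not ($vnet.Subnets | Where-Object Name -eq "AzureBastionSubnet")) {
    Add-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -VirtualNetwork $vnet `
        -AddressPrefix "10.0.255.0/26" | Out-Null      # placeholder prefix
    $vnet | Set-AzVirtualNetwork | Out-Null
}

# 2. Bastion's only public endpoint is a Standard-SKU static public IP that terminates
#    the TLS session on 443. The VMs keep no public IP and no inbound 3389/22 from the Internet.
$pip = New-AzPublicIpAddress -Name "pip-bastion" -ResourceGroupName $rg -Location $location `
         -AllocationMethod Static -Sku Standard

New-AzBastion -ResourceGroupName $rg -Name "bas-prod" `
    -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnetName -Sku "Basic"

# 3. JIT policy: declare which ports MAY be opened on request and for how long at most.
#    Nothing is opened here; the NSG stays closed until an approved request arrives.
$jitVm = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($jitVm)

# 4. An administrator's access request: Defender for Cloud writes a temporary allow rule
#    scoped to the requested port, source prefix and expiry, and removes it at endTimeUtc.
#    Because connections arrive through Bastion, the source is restricted to the Bastion
#    subnet rather than "*" (a design choice of this example).
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22
           endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
           allowedSourceAddressPrefix = @("10.0.255.0/26") }
    )
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)
```

The baseline NSG should keep denying inbound 3389 and 22 from the Internet at all times; JIT only inserts a higher-priority allow rule for the approved window and deletes it afterwards, so an audit of the NSG outside an active request should show no such allow rule. Administrators then connect from the Azure portal's Bastion blade, which never exposes the VM ports publicly.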